An insufficient encryption vulnerability exists in the Device Authentication functionality of GeoVision GV-IP Device Utility 9.0.5. Listening to broadcast packets can lead to a credential leak; an attacker only has to capture broadcast messages to trigger this vulnerability. When interacting with various GeoVision devices on the network, the utility may send privileged commands, and to do so it must supply the device's username and password. In some instances the command is broadcast over UDP and the username/password are encrypted with a cryptographic scheme that appears to be derived from Blowfish. However, the symmetric key used for the encryption is also included in the packet, so the confidentiality of the username/password rests entirely on the "obscurity" of the encryption scheme. An attacker on the same LAN can capture the broadcast traffic once an admin user interacts with the device and decrypt the credentials using their own implementation of the algorithm. W
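The following is an added worked example, not code from the advisory or from GeoVision. It reproduces the anti-pattern the description above identifies: the key needed to decrypt the credentials is carried in the same datagram as the ciphertext. The datagram layout (a `GVCR` marker, then key, nonce and ciphertext lengths) and all sample values are constructed for illustration and are not the utility's real wire format; an HMAC-SHA256 counter-mode keystream stands in for the Blowfish-derived cipher, because the weakness is where the key travels, not which cipher is used. A hardened variant alongside it derives the key from a secret both ends already hold, so a passive listener has nothing to decrypt with and a forged or mis-keyed packet fails its tag check.

```python
import hashlib
import hmac
import struct

# Hypothetical marker for the constructed datagram layout (not GeoVision's real format).
MAGIC = b"GVCR"
TAG_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256. A stand-in for the Blowfish-derived
    cipher in the advisory; the flaw demonstrated here does not depend on the cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def build_weak_packet(username: str, password: str, key: bytes, nonce: bytes) -> bytes:
    """Anti-pattern: the symmetric key is shipped inside the same broadcast datagram."""
    ct = stream_xor(key, nonce, username.encode() + b"\x00" + password.encode())
    return (MAGIC + struct.pack(">BB", len(key), len(nonce)) + key + nonce
            + struct.pack(">H", len(ct)) + ct)


def eavesdrop_weak(packet: bytes):
    """What a passive LAN listener does: parse the datagram, lift the key out of it,
    run its own copy of the algorithm and read the credentials."""
    if not packet.startswith(MAGIC):
        raise ValueError("not a credential datagram")
    klen, nlen = struct.unpack_from(">BB", packet, 4)
    pos = 6
    key, pos = packet[pos:pos + klen], pos + klen
    nonce, pos = packet[pos:pos + nlen], pos + nlen
    (clen,) = struct.unpack_from(">H", packet, pos)
    pos += 2
    user, _, pw = stream_xor(key, nonce, packet[pos:pos + clen]).partition(b"\x00")
    return user.decode(), pw.decode()


def session_key(shared_secret: bytes, nonce: bytes) -> bytes:
    """Hardened: derive the per-message key from a secret provisioned on both ends.
    Only the nonce crosses the wire; the key never does."""
    return hmac.new(shared_secret, b"gv-session" + nonce, hashlib.sha256).digest()


def build_hardened_packet(username: str, password: str, shared_secret: bytes, nonce: bytes) -> bytes:
    key = session_key(shared_secret, nonce)
    ct = stream_xor(key, nonce, username.encode() + b"\x00" + password.encode())
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return MAGIC + struct.pack(">B", len(nonce)) + nonce + struct.pack(">H", len(ct)) + ct + tag


def device_decrypt_hardened(packet: bytes, shared_secret: bytes):
    """Receiver side. Returns (username, password), or None when the tag does not verify,
    which is what a listener guessing the secret gets."""
    nlen = packet[4]
    pos = 5
    nonce, pos = packet[pos:pos + nlen], pos + nlen
    (clen,) = struct.unpack_from(">H", packet, pos)
    pos += 2
    ct, pos = packet[pos:pos + clen], pos + clen
    tag = packet[pos:pos + TAG_LEN]
    key = session_key(shared_secret, nonce)
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]):
        return None
    user, _, pw = stream_xor(key, nonce, ct).partition(b"\x00")
    return user.decode(), pw.decode()


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    key, nonce, secret = b"\x01" * 16, b"\xaa" * 8, b"provisioned-secret"
    weak = build_weak_packet("admin", "Camera!2024", key, nonce)
    print("listener recovers from weak packet:", eavesdrop_weak(weak))
    hard = build_hardened_packet("admin", "Camera!2024", secret, nonce)
    print("device decrypts hardened packet:", device_decrypt_hardened(hard, secret))
    print("listener without the secret:", device_decrypt_hardened(hard, b"wrong"))
```

The hardened variant is only as good as its inputs: the shared secret has to be provisioned out of band rather than sent in any packet, and the nonce must never repeat under the same secret, since a reused (key, nonce) pair in a stream construction leaks the XOR of the two plaintexts. A production fix would more likely move device management onto a mutually authenticated, unicast channel than keep broadcasting credentials at all.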
Casky was already ahead
This CVE relies on attack patterns that Casky's skills already investigate, well before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-7161 exposes an insufficient-encryption flaw in GeoVision GV-IP Device Utility 9.0.5. When an administrator issues privileged commands to GeoVision devices, the utility broadcasts the device username and password over UDP, encrypted with a scheme that appears to be derived from Blowfish, but with the symmetric key carried in the same packet. Because the key travels alongside the ciphertext, the encryption provides no confidentiality beyond the obscurity of the algorithm: any attacker on the same network segment can passively capture the broadcast once an administrator interacts with a device and decrypt the credentials with their own implementation, with no authentication and no active exploitation required. This affects organizations deploying GeoVision IP cameras and surveillance systems, particularly where the management network is not segmented from untrusted hosts. With a CVSS score of 9.3, it represents a critical risk of credential compromise and unauthorized device access.
While MITRE ATT&CK techniques are not formally mapped to this CVE, Casky's 754 security skills enable detection of the underlying attack patterns through Claude AI's extended reasoning capabilities. Passive capture of a broadcast leaves no trace on the wire, so detection centres on the broadcast itself and on what follows it. Practitioners would observe findings related to credential exposure and network reconnaissance: GV-IP Device Utility broadcast traffic that carries credential material and its decryption key in the same datagram, anomalous authentication attempts against cameras using the extracted credentials, and lateral-movement attempts targeting networked IP cameras. Casky's skills would flag device authentication channels whose encryption cannot protect credentials from an on-path listener, credential use from unexpected network locations, and patterns consistent with credential harvesting from broadcast protocols. Security teams would receive alerts on such authentication traffic, on failed device access attempts using harvested credentials, and on device configuration changes following credential compromise, covering both exploitation of the vulnerability and post-compromise activity.
© 2026 Casky.AI, Inc. · AI Security Investigation